New Mirai botnet behind surge in TVT DVR exploitation

A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices. The attacks attempt to exploit an information disclosure vulnerability first disclosed by an SSD Advisory in May 2024, which published the full exploitation details on retrieving admin credentials in cleartext using a single TCP payload. The exploitation results in an authentication bypass, allowing attackers to execute administrative commands on the device without restriction. According to the threat monitoring platform GreyNoise, which detected the exploitation activity, it's likely tied to a Mirai-based malware that seeks to incorporate the devices into its botnet. Typically, infected devices are then used to proxy malicious traffic, cryptomining, or launch distributed denial of service (DDoS) attacks. In the past month, GreyNoise logged 6,600 distinct IPs associated with this activity, with all of them ... Read full article.